Improved Cryptanalysis of Py Paul Crowley LShift Ltd State of the - - PowerPoint PPT Presentation



SLIDE 1

Py SPP attack Improving on the attack

Improved Cryptanalysis of Py

Paul Crowley

LShift Ltd

State of the Art in Stream Ciphers 2006

SLIDE 2

Py

• eSTREAM entrant by Eli Biham and Jennifer Seberry
• Fast in software (2.6 cycles/byte on some platforms)
• SPP attack: $2^{88}$ bytes of output
• Our attack: $2^{72}$ bytes

SLIDE 3

Output

[Diagram; labels: P, $O_1$, $O_2$]

SLIDE 4

Update

[Diagram; labels: P, P]

SLIDE 5

SPP attack

• Gautham Sekar, Souradyuti Paul, Bart Preneel
• Defines event $L$ with $\Pr[L] \approx 2^{-41.91}$
• When $L$ occurs, two output bits are the same

SLIDE 6

Event L (1)

[Diagram; labels: S, S, P]

SLIDE 7

Event L (2)

[Diagram; labels: S, A, A, A, B, B, B, $O_{1,1}$, $O_{2,3}$]

SLIDE 8

Result of event L

[Diagram; labels: S, A, B, $O_{1,1}$, $O_{2,3}$]

SLIDE 9

Improving on the attack

• Use all bits of $O_{1,1}, O_{2,3}$
• Group output by column bitwise
• Find exact probability $\Pr[O_{1,1}, O_{2,3} = o_{1,1}, o_{2,3} \mid L]$
• Apply optimal distinguisher

SLIDE 10

Addition

[Diagram; labels: carries $[c]_0, [c]_1, [c]_2, [c]_3$ and, for each bit $i = 0, \ldots, 3$, $[X]_i$, $[Y]_i$, $[X + Y]_i$]

SLIDE 11

Carry propagation

[Diagram; labels: $[S]_i$, $[A]_i$, $[B]_i$, $[O_{1,1}]_i$, $[O_{2,3}]_i$, $[c_1]_i$, $[c_3]_i$, $[c_1]_{i+1}$, $[c_3]_{i+1}$]

SLIDE 13

Hidden Markov model

[Diagram: hidden Markov model; state labels include 0,0 and 1,0]

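SLIDE 15

The forward algorithm

$$\Pr[\,\cdot\,] = \mathbf{1}_{1 \times 4} \, M_{1,0} M_{0,0} M_{1,1} \, \pi_0$$

where $\mathbf{1}_{1 \times 4} = (1 \;\; 1 \;\; 1 \;\; 1)$ and $\pi_0$ is a column vector.

[The argument of $\Pr$ and the vector $\pi_0$ are bit matrices; apart from the entries 1, their contents are not recoverable.]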

SLIDE 16

Optimal distinguisher

• Thomas Baignères, Pascal Junod, Serge Vaudenay
• Optimal distinguisher chooses the distribution which has the highest probability of producing the observed output

SLIDE 17

Optimal distinguisher

[Diagram; labels: $s_0$, $s_1$, $s_2$]

SLIDE 18

Optimal distinguisher

[Diagram; labels: $s_0$, $s_1$, $s_2$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$]

SLIDE 19

Optimal distinguisher

[Diagram; labels: $s_0$, $s_1$, $s_2$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$; $|\mathcal{Z}|^{-3}$]

SLIDE 20

Optimal distinguisher

[Diagram; labels: $s_0$, $s_1$, $s_2$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$; $|\mathcal{Z}|^{-3}$; $\Pr[s_0 \mid L]$, $\Pr[s_1 \mid L]$, $\Pr[s_2 \mid L]$]

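SLIDE 21

Optimal distinguisher

[Diagram; labels: $s_0$, $s_1$, $s_2$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$; $|\mathcal{Z}|^{-3}$; $\Pr[s_0 \mid L]$, $\Pr[s_1 \mid L]$, $\Pr[s_2 \mid L]$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$]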

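SLIDE 22

Optimal distinguisher

[Diagram; labels: $s_0$, $s_1$, $s_2$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$; $|\mathcal{Z}|^{-3}$; $\Pr[s_0 \mid L]$, $\Pr[s_1 \mid L]$, $\Pr[s_2 \mid L]$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$; $\Pr[s_0]$, $\Pr[s_1]$, $\Pr[s_2]$]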

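SLIDE 23

Optimal distinguisher

[Diagram; labels: $s_0$, $s_1$, $s_2$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$; $|\mathcal{Z}|^{-3}$; $\Pr[s_0 \mid L]$, $\Pr[s_1 \mid L]$, $\Pr[s_2 \mid L]$; $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$, $|\mathcal{Z}|^{-1}$; $\Pr[s_0]$, $\Pr[s_1]$, $\Pr[s_2]$; $\Pr[s_0 \wedge s_1 \wedge s_2]$]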

SLIDE 24

Efficacy of optimal distinguisher

• Where distribution is “close” to uniform random, efficacy

$$\epsilon = |\mathcal{Z}| \sum_{z \in \mathcal{Z}} \left( \Pr[z] - \frac{1}{|\mathcal{Z}|} \right)^2$$

SLIDE 25

Efficacy of optimal distinguisher

• Where distribution is “close” to uniform random, efficacy

$$\epsilon = |\mathcal{Z}| \sum_{z \in \mathcal{Z}} \left( \Pr[z] - \frac{1}{|\mathcal{Z}|} \right)^2$$

• Need around $2/\epsilon$ samples

SLIDE 26

Efficacy of optimal distinguisher

• Where distribution is “close” to uniform random, efficacy

$$\epsilon = |\mathcal{Z}| \sum_{z \in \mathcal{Z}} \left( \Pr[z] - \frac{1}{|\mathcal{Z}|} \right)^2$$

• Need around $2/\epsilon$ samples
• Both distinguishers: $\epsilon = \Pr[L]^2 \left( |\mathcal{Z}| \sum_{z \in \mathcal{Z}} \Pr[z \mid L]^2 - 1 \right)$

SLIDE 27

Efficacy of optimal distinguisher

• Where distribution is “close” to uniform random, efficacy

$$\epsilon = |\mathcal{Z}| \sum_{z \in \mathcal{Z}} \left( \Pr[z] - \frac{1}{|\mathcal{Z}|} \right)^2$$

• Need around $2/\epsilon$ samples
• Both distinguishers: $\epsilon = \Pr[L]^2 \left( |\mathcal{Z}| \sum_{z \in \mathcal{Z}} \Pr[z \mid L]^2 - 1 \right)$
• SPP attack: $\epsilon = \Pr[L]^2$ so around $2^{85}$ samples

SLIDE 28

Efficacy of our distinguisher

$$\sum_{z \in \mathcal{Z}} \Pr[z \mid L]^2 = \cdots$$

SLIDE 29

Efficacy of our distinguisher

$$\sum_{z \in \mathcal{Z}} \Pr[z \mid L]^2 = \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right)^2$$

$M_i \in \{ M_{0,0}, M_{0,1}, M_{1,0}, M_{1,1} \}$

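SLIDE 30

Efficacy of our distinguisher

$$\begin{aligned}
\sum_{z \in \mathcal{Z}} \Pr[z \mid L]^2
&= \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right)^2 \\
&= \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right) \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right)^T
\end{aligned}$$

$M_i \in \{ M_{0,0}, M_{0,1}, M_{1,0}, M_{1,1} \}$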

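SLIDE 31

Efficacy of our distinguisher

$$\begin{aligned}
\sum_{z \in \mathcal{Z}} \Pr[z \mid L]^2
&= \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right)^2 \\
&= \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right) \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right)^T \\
&= \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \pi_0^T M_0^T \cdots M_{30}^T M_{31}^T \mathbf{1}_{1 \times 4}^T \right)
\end{aligned}$$

$M_i \in \{ M_{0,0}, M_{0,1}, M_{1,0}, M_{1,1} \}$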

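SLIDE 32

Efficacy of our distinguisher

$$\begin{aligned}
\sum_{z \in \mathcal{Z}} \Pr[z \mid L]^2
&= \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right)^2 \\
&= \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right) \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \right)^T \\
&= \sum \left( \mathbf{1}_{1 \times 4} M_{31} M_{30} \cdots M_0 \pi_0 \pi_0^T M_0^T \cdots M_{30}^T M_{31}^T \mathbf{1}_{1 \times 4}^T \right) \\
&= \mathbf{1}_{1 \times 4} \left( \sum M_{31} M_{30} \cdots M_0 \pi_0 \pi_0^T M_0^T \cdots M_{30}^T M_{31}^T \right) \mathbf{1}_{1 \times 4}^T
\end{aligned}$$

$M_i \in \{ M_{0,0}, M_{0,1}, M_{1,0}, M_{1,1} \}$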

SLIDE 33

Efficacy of our distinguisher

$$H_i = \sum M_{i-1} M_{i-2} \cdots M_1 M_0 \pi_0 \pi_0^T M_0^T M_1^T \cdots M_{i-2}^T M_{i-1}^T$$

SLIDE 34

Efficacy of our distinguisher

$$H_i = \sum M_{i-1} M_{i-2} \cdots M_1 M_0 \pi_0 \pi_0^T M_0^T M_1^T \cdots M_{i-2}^T M_{i-1}^T$$

$$H_0 = \pi_0 \pi_0^T$$

SLIDE 35

Efficacy of our distinguisher

$$H_i = \sum M_{i-1} M_{i-2} \cdots M_1 M_0 \pi_0 \pi_0^T M_0^T M_1^T \cdots M_{i-2}^T M_{i-1}^T$$

$$H_0 = \pi_0 \pi_0^T$$

$$H_{i+1} = \sum_{M \in \{ M_{0,0}, M_{0,1}, M_{1,0}, M_{1,1} \}} M H_i M^T$$

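SLIDE 36

Efficacy of our distinguisher

$$H_i = \sum M_{i-1} M_{i-2} \cdots M_1 M_0 \pi_0 \pi_0^T M_0^T M_1^T \cdots M_{i-2}^T M_{i-1}^T$$

$$H_0 = \pi_0 \pi_0^T$$

$$H_{i+1} = \sum_{M \in \{ M_{0,0}, M_{0,1}, M_{1,0}, M_{1,1} \}} M H_i M^T$$

$$\epsilon = \Pr[L]^2 \left( 2^{64} \left( \mathbf{1}_{1 \times 4} H_{32} \mathbf{1}_{1 \times 4}^T \right) - 1 \right)$$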

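SLIDE 37

Efficacy of our distinguisher

$$H_i = \sum M_{i-1} M_{i-2} \cdots M_1 M_0 \pi_0 \pi_0^T M_0^T M_1^T \cdots M_{i-2}^T M_{i-1}^T$$

$$H_0 = \pi_0 \pi_0^T$$

$$H_{i+1} = \sum_{M \in \{ M_{0,0}, M_{0,1}, M_{1,0}, M_{1,1} \}} M H_i M^T$$

$$\epsilon = \Pr[L]^2 \left( 2^{64} \left( \mathbf{1}_{1 \times 4} H_{32} \mathbf{1}_{1 \times 4}^T \right) - 1 \right) \approx 60552 \Pr[L]^2$$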

SLIDE 38

Conclusions

• We can efficiently calculate the efficacy of HMM-based distinguishers
• Distinguisher advantage is 0.53 given $2^{64}$ bytes from $2^{8}$ key/IV pairs
• Advantage is 0.03 given a single $2^{64}$-byte stream
• Can this be improved still further?

http://www.ciphergoth.org/crypto/py
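
An added worked example (not from the slides or the author's code) of the $H_i$ recurrence from slides 33 to 37, checked against brute-force enumeration for small word sizes. The transition matrices come from an assumed toy model, $O_1 = (S \oplus A) + B$ and $O_3 = (S \oplus B) + A$ with uniform $n$-bit $S, A, B$; that model and all function names are assumptions for illustration.

```python
from fractions import Fraction
from itertools import product

# Assumed toy model (not taken from the slides): under event L the two
# output words are O1 = (S ^ A) + B and O3 = (S ^ B) + A, with S, A, B uniform.
STATES = [(0, 0), (0, 1), (1, 0), (1, 1)]  # hidden state: carry pair (c1, c3)
OUTPUTS = list(product((0, 1), repeat=2))

def maj(x, y, z):
    return (x & y) | (x & z) | (y & z)

def transition_matrices():
    """M[o][new][old] = Pr[emit output bit pair o and move to state new | old]."""
    M = {o: [[Fraction(0)] * 4 for _ in range(4)] for o in OUTPUTS}
    for old, (c1, c3) in enumerate(STATES):
        for s, a, b in product((0, 1), repeat=3):
            out = (s ^ a ^ b ^ c1, s ^ b ^ a ^ c3)
            new = STATES.index((maj(s ^ a, b, c1), maj(s ^ b, a, c3)))
            M[out][new][old] += Fraction(1, 8)
    return M

def conjugate(m, h):
    """Return m * h * m^T for 4x4 matrices."""
    mh = [[sum(m[i][k] * h[k][j] for k in range(4)) for j in range(4)] for i in range(4)]
    return [[sum(mh[i][k] * m[j][k] for k in range(4)) for j in range(4)] for i in range(4)]

def sum_sq_hmm(n):
    """sum_z Pr[z|L]^2 = 1 H_n 1^T, H_0 = pi0 pi0^T, H_{i+1} = sum_M M H_i M^T."""
    mats = transition_matrices().values()
    # pi0 puts all mass on carry state (0, 0), so H_0 has a single 1 at [0][0]
    h = [[Fraction(int(i == j == 0)) for j in range(4)] for i in range(4)]
    for _ in range(n):
        terms = [conjugate(m, h) for m in mats]
        h = [[sum(t[i][j] for t in terms) for j in range(4)] for i in range(4)]
    return sum(map(sum, h))

def sum_sq_bruteforce(n):
    """The same sum by enumerating every n-bit (S, A, B): cost 8^n."""
    mask, counts = (1 << n) - 1, {}
    for s, a, b in product(range(1 << n), repeat=3):
        z = (((s ^ a) + b) & mask, ((s ^ b) + a) & mask)
        counts[z] = counts.get(z, 0) + 1
    return sum(Fraction(c, 8 ** n) ** 2 for c in counts.values())

def efficacy_factor(n):
    """|Z| * sum_z Pr[z|L]^2 - 1 with |Z| = 4^n: the multiplier of Pr[L]^2."""
    return 4 ** n * sum_sq_hmm(n) - 1
```

With n = 1 the factor is 1, which is the $\epsilon = \Pr[L]^2$ case of slide 27. The recurrence needs n rounds of 4×4 matrix products, where enumeration needs $8^n$ steps.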